Cloud Heavy, Hybrid Ready: Lessons from BlackBasta and Scattered Spider

April 2, 2025

Executive Summary

  • Leaked internal chat logs from BlackBasta offer insight into the group’s operational mindset, revealing how operators exploit hybrid environments.
  • While both groups use ransomware for extortion, their methods reflect different strategic models: BlackBasta operates as a RaaS with broad, repeatable techniques for hybrid environments, while Scattered Spider uses cloud-native techniques that exploit identity platforms and service configurations.
  • These differences reflect not just technical preferences, but likely organizational models and sector targeting – underscoring the need for tailored IR plans, cloud-centric readiness assessments and reviews aligned with an organization’s profile.

Introduction

In February 2025, internal chats from the BlackBasta ransomware group were leaked, containing over 200,000 messages spanning 2023 to 2024. The leak offers unprecedented insight into BlackBasta’s internal operations, mindset, and attack methodologies. First identified in April 2022, BlackBasta operates as a ransomware-as-a-service (RaaS) provider whose affiliates have compromised over 500 organizations globally.

Simultaneously, security researchers have documented the rapid evolution of another prominent threat actor: Scattered Spider (a.k.a. UNC3944, Muddled Libra, LUCR-3). Since early 2022, this financially motivated threat actor has launched extortion attacks specifically targeting cloud environments, relying heavily on social engineering techniques to exploit identity management systems such as Okta.

In this analysis, we examine BlackBasta’s internal chats using Hudson Rock’s BlackBastaGPT to parse and translate the chats, allowing us to uncover insights into BlackBasta’s hybrid and cloud-focused attack methods. We then directly compare these tactics to Scattered Spider’s publicly documented cloud-centric techniques, highlighting overlaps and differences. This comparison enables defenders to strengthen their protections across hybrid and cloud environments.

BlackBasta’s Cloud Tactics

The leaked chats reveal techniques and attempts aimed primarily at hybrid environments, but they also mention Azure, AWS, Google Cloud, and Oracle Cloud. The following section presents the observed techniques in greater detail, with snippets of the internal chats and further context.

Azure

Execution of a Payload

Operators demonstrated the ability to execute malicious code directly within cloud environments. In one instance, an operator mentioned launching the payload on a machine in Azure, highlighting how the cloud can serve as an effective execution platform for bypassing traditional defenses. While not explicitly stated, it is assumed that operators leveraged the Run Command feature. Run Command can run scripts on virtual machines remotely by using the VM agent, either through the Azure portal, REST API, or PowerShell for Windows VMs.

Source: "в AZURE пару раз запускал на тачке пейлоад через саму азуру..."

Translation: I launched the payload a couple of times on a machine directly through Azure...
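Run Command invocations are recorded in the Azure Activity Log under the operation name Microsoft.Compute/virtualMachines/runCommand/action, which gives defenders a direct hook for this behaviour. The Python below is an added example, not code from the original post or from Invictus: it normalizes a handful of constructed Activity Log records (placeholder subscription, callers and IP addresses) and flags two things, every Run Command invocation per caller, and the tighter pattern of one caller creating a VM and then running a command on it shortly afterwards. The two-hour window and the sample identities are assumptions for illustration.

```python
"""Detection over Azure Activity Log records: Run Command executions, and
"create a VM, then run a command on it" chains by the same caller."""
from collections import Counter
from datetime import datetime, timedelta

# Real Azure RBAC operation names as they appear in Activity Log records.
RUN_COMMAND_OP = "Microsoft.Compute/virtualMachines/runCommand/action"
VM_WRITE_OP = "Microsoft.Compute/virtualMachines/write"

# Constructed sample records (not real telemetry). Field names follow the Activity
# Log event schema; the subscription id, callers and IP addresses are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
VM_PREFIX = SUB + "/providers/Microsoft.Compute/virtualMachines/"


def _ev(ts, caller, op, vm, ip, status="Succeeded"):
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "resourceId": VM_PREFIX + vm, "status": {"value": status},
            "httpRequest": {"clientIpAddress": ip}}


SAMPLE_EVENTS = [
    _ev("2024-03-01T09:00:00Z", "ops.admin@example.test", VM_WRITE_OP, "vm-app01", "10.20.0.5"),
    _ev("2024-03-01T13:05:00Z", "svc-helpdesk@example.test", VM_WRITE_OP, "vm-tmp-7f3a", "198.51.100.23"),
    _ev("2024-03-01T13:20:00Z", "svc-helpdesk@example.test", RUN_COMMAND_OP, "vm-tmp-7f3a", "198.51.100.23"),
    _ev("2024-03-01T13:21:00Z", "svc-helpdesk@example.test", RUN_COMMAND_OP, "vm-app01", "198.51.100.23"),
    _ev("2024-03-01T14:00:00Z", "ops.admin@example.test", RUN_COMMAND_OP, "vm-app01", "10.20.0.5", "Failed"),
]


def normalize(event):
    """Flatten the nested record into the handful of fields the rules need."""
    return {
        "ts": datetime.strptime(event["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ"),
        "caller": event.get("caller", "<unknown>"),
        "op": event["operationName"]["value"],
        "vm": event["resourceId"].rsplit("/", 1)[-1],
        "ip": event.get("httpRequest", {}).get("clientIpAddress", ""),
        "status": event.get("status", {}).get("value", ""),
    }


def find_run_commands(events):
    """Every Run Command invocation, successful or failed: each one deserves review."""
    return [n for n in map(normalize, events) if n["op"] == RUN_COMMAND_OP]


def run_commands_by_caller(events):
    """Volume per identity; a first-time or high-volume caller stands out against a baseline."""
    return Counter(n["caller"] for n in find_run_commands(events))


def find_create_then_run(events, window_minutes=120):
    """Same caller creates a VM and runs a command on it within `window_minutes`.

    A freshly created VM that immediately receives Run Command looks like an
    attacker-controlled execution host rather than routine provisioning."""
    window = timedelta(minutes=window_minutes)
    created = {}  # (caller, vm) -> creation timestamp
    chains = []
    for n in sorted(map(normalize, events), key=lambda n: n["ts"]):
        key = (n["caller"], n["vm"])
        if n["op"] == VM_WRITE_OP and n["status"] == "Succeeded":
            created[key] = n["ts"]
        elif n["op"] == RUN_COMMAND_OP and key in created:
            if n["ts"] - created[key] <= window:
                chains.append({"caller": n["caller"], "vm": n["vm"], "ip": n["ip"],
                               "created": created[key], "ran": n["ts"]})
    return chains


if __name__ == "__main__":
    for c in find_create_then_run(SAMPLE_EVENTS):
        print(f"[chain] {c['caller']} created {c['vm']} at {c['created']:%H:%M}, "
              f"ran a command on it at {c['ran']:%H:%M} from {c['ip']}")
    print(dict(run_commands_by_caller(SAMPLE_EVENTS)))
```

In the sample, the routine administrator who provisioned vm-app01 hours earlier does not trigger the chain rule, while the helpdesk identity that created a new VM and ran a command on it fifteen minutes later does.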

Exploiting Azure-Based Backups

Operators revealed that Azure’s extensive backup infrastructure can be both a target and a tool. They discussed the potential to siphon data from these massive backup setups, suggesting that attackers might leverage this capability to exfiltrate valuable information from cloud storage systems.

Source: "там пиздец бекап приложений есть...там есть отдельная хуйня чисто в азуре короче можно поднять ебейший бекап и туда что бы все утекало..."

Translation: There’s crazy backup infrastructure in there...There’s some separate thing in Azure where you can set up a massive backup, and have everything siphon there...

Pivots to and from ADFS

The chats indicate attempts to use Active Directory Federation Services (ADFS) as a pivot to access broader enterprise services. Although one operator expressed uncertainty about directly compromising Active Directory, they noted that breaching ADFS could lead to access to various services, such as VPN, WEBRDP, or even Azure.

While it is not explicitly stated that ADFS was being used for authentication into the victim’s Azure environment, it is certainly possible. ADFS provides simplified, secured identity federation and web single sign-on (SSO) capabilities. Users federated with Microsoft Entra ID or Microsoft 365 can authenticate using on-premises credentials to access all cloud resources.

Source: "да но ADFS использует Active Directory без базару, но как попасть в Active Directory понятия нет вобще, из ADFS можно попасть по сути в разные службы залупные...может быть там будет в списке какой нибудь VPN доступ это круто или WEBRDP, или же AZURE..."

Translation: Yeah, ADFS uses Active Directory for sure, but I have no idea how to actually get into Active Directory. From ADFS you can potentially access random services...Maybe in that list there’ll be something like VPN access, that would be great — or WEBRDP, or even Azure...

AWS

Operators did not frequently reference AWS, except when potential victims had deployed either VMware ESXi hypervisors or Domain Controllers in AWS. Although ESXi isn’t traditionally cloud-native, it is often deployed in hybrid or private cloud environments. Notably, one instance describes an AWS deployment where an ESXi target’s migration capabilities allowed virtual machines to escape.

Disabling vMotion and Distributed Resource Scheduler (DRS)

BlackBasta noticed that VMs were escaping to other ESXi nodes, likely via vMotion or DRS. They discussed disabling vMotion in an ESXi environment hosted on AWS to prevent VMs from escaping, thereby ensuring persistence for ransomware deployment. To further contain the VMs on the compromised host and guarantee successful encryption, they attempted to execute a command to disable VM autostart control.

Source: “все витуальные тачки убежали на другой esxi... больше 100 шт на одном"..."https://docs.vmware.com/en/VMware-Cloud-on-AWS/...на 8 версиях автостарт не выключается"...vim-cmd hostsvc/autostartmanager/enable_autostart false

Translation: All the virtual machines moved to another ESXi… more than 100 on one host...[VMware Cloud on AWS documentation] On version 8, autostart doesn’t turn off...[shell command disables automatic VM autostart]
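The command quoted above is exactly the kind of line ESXi writes to /var/log/shell.log for interactive shell sessions, so it can be matched directly. The Python below is an added example, not code from the original post, from Invictus or from VMware: it parses constructed shell.log lines in the usual "timestamp shell[pid]: [user]: command" layout, skips non-command lines, and applies a small ordered rule set that flags the autostart disable, other autostart modifications and any vMotion-related change while ignoring read-only queries such as get_defaults. The log lines and rule names are constructed for illustration.

```python
"""Flag autostart and vMotion configuration changes in an ESXi /var/log/shell.log."""
import re

# Constructed sample of the ESXi interactive-shell audit log (not a real host's log).
SAMPLE_SHELL_LOG = """\
2024-03-01T02:14:07Z shell[2100352]: [root]: esxcli system version get
2024-03-01T02:14:31Z shell[2100352]: [root]: vim-cmd hostsvc/autostartmanager/get_defaults
2024-03-01T02:15:22Z shell[2100352]: [root]: vim-cmd hostsvc/autostartmanager/enable_autostart false
2024-03-01T02:15:40Z shell[2100352]: [root]: vim-cmd vmsvc/getallvms
2024-03-01T02:16:00Z shell[2100352]: Interactive shell session started
"""

# "<timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$")

# Ordered rules: the first match wins. Read-only autostart queries (get_defaults,
# get_autostartseq) deliberately match nothing, so routine admin checks stay quiet.
RULES = [
    ("AUTOSTART_DISABLED", "high",
     re.compile(r"vim-cmd\s+hostsvc/autostartmanager/enable_autostart\s+false")),
    ("AUTOSTART_MODIFIED", "medium",
     re.compile(r"vim-cmd\s+hostsvc/autostartmanager/update_")),
    ("VMOTION_CONFIG_TOUCHED", "medium",
     re.compile(r"vmotion", re.IGNORECASE)),
]


def parse_shell_log(text):
    """Return one dict per command line; session notices without a [user]: part are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def detect(entries):
    """Apply RULES to each parsed command, emitting at most one finding per line."""
    findings = []
    for e in entries:
        for name, severity, pattern in RULES:
            if pattern.search(e["cmd"]):
                findings.append({"rule": name, "severity": severity, **e})
                break
    return findings


if __name__ == "__main__":
    for f in detect(parse_shell_log(SAMPLE_SHELL_LOG)):
        print(f"{f['ts']} {f['severity'].upper():6} {f['rule']} user={f['user']} cmd={f['cmd']}")
```

Because the autostart setting governs whether VMs come back after a host restart, a disable followed by unexpected power events on many VMs is a strong containment-stage signal, and shell.log is one of the few places on the host itself where the operator's typed commands survive.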

Google

Avoiding Google Cloud Detections

Operators showed awareness of Google Cloud-based detection mechanisms and scanner infrastructure. From the chats we infer a hesitation to execute payloads where anti-virus or sandboxing infrastructure is present.

Source: "ибо там насколько я помню стоят анализаторы гугла – google cloud platform..."

Translation: Because, as far as I remember, Google analyzers are running there – Google Cloud Platform

Oracle

Exploitation of Oracle Cloud Integration Endpoints

Operators exchanged links and credentials for both Enterprise Resource Planning (ERP) and integration cloud endpoints. This activity likely represents an attempt to access victim Oracle Cloud environments, specifically targeting Oracle Cloud’s Fusion SaaS and Oracle Integration Cloud (OIC) platforms. Access of this kind would give the threat actor sensitive enterprise data and further their lateral movement within the target network.

ERP Cloud Test: hxxps://[redacted].fa.ocs.oraclecloud[.]com

OIC Prod: hxxps://[redacted].integration.ocp.oraclecloud[.]com

Scattered Spider’s Cloud Tactics

Scattered Spider (a.k.a. UNC3944, Muddled Libra, LUCR-3) is financially motivated with affiliations to “The Com” or “The Community” – a broader network of young cybercriminals known for SIM swapping, cryptocurrency theft and extortion schemes. While the group is best known for its operations against cloud-native environments, it has also demonstrated the ability to pivot into hybrid infrastructures when needed.

Security researchers have done a good job publicly documenting the group’s cloud TTPs, offering valuable insights into how Scattered Spider abuses native cloud services, APIs, and identity controls to carry out their operations. Let’s take a closer look at some of their known techniques below, using publicly available sources from Palo Alto Networks and Permiso.

Initial Access

Scattered Spider employs sophisticated social engineering techniques to gain initial access. They often target administrative users through methods such as SIM swapping, phishing, and exploiting multi-factor authentication (MFA) fatigue. By compromising these high-privilege accounts, they can infiltrate identity providers or platforms, like Okta or Entra ID.

Credential Access and Privilege Escalation

Scattered Spider exploits compromised cloud credentials to escalate privileges. They have been observed authenticating to organizations’ Azure tenants and instantiating Azure Virtual Machines to conduct credential theft activities. These actions facilitate lateral movement to on-premises systems. They also utilize native features of SaaS applications, such as search functionalities in document portals, ticketing systems, and chat applications, to gather information about the organization. In other cases, they leverage AWS IAM, Amazon Simple Storage Service (S3) and AWS Secrets Manager.

Defense Evasion

Scattered Spider is adept at evading detection by minimizing the use of malware or scripts. Instead, they rely on the victim’s own tools and applications, making their activities blend seamlessly with legitimate operations.

Collection and Data Exfiltration

The threat actor often uses Azure Blob Storage and Azure Files to locate the most valuable data relevant to their attack. They also abuse cloud service provider environments, leveraging legitimate scalability and native functionalities to create new resources that assist with data exfiltration. This includes exploiting services within AWS and Azure to transfer data out of the victim’s environment.
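Both the credential-access behaviour described under Credential Access and Privilege Escalation (Secrets Manager, IAM) and the exfiltration staging described here (new buckets and instances created inside the victim’s own account) surface as CloudTrail events, and the signal is in the sequence rather than in any single call. The Python below is an added example, not code from the original post, from Invictus or from AWS: it classifies constructed CloudTrail records (placeholder account id, role names and IP addresses) into credential-access and resource-staging buckets and reports a principal only when it does both within a short window, so a routine CI-driven RunInstances on its own does not fire. The event names are real CloudTrail names; the window and the sample data are assumptions.

```python
"""Correlate CloudTrail events per principal: credential access followed by
creation of new compute or storage resources within a short window."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# (eventSource, eventName) -> tactic bucket. All are real CloudTrail event names.
RULES = {
    ("secretsmanager.amazonaws.com", "GetSecretValue"): "credential_access",
    ("iam.amazonaws.com", "CreateAccessKey"): "credential_access",
    ("s3.amazonaws.com", "CreateBucket"): "resource_staging",
    ("ec2.amazonaws.com", "RunInstances"): "resource_staging",
}

# Constructed sample trail (not real telemetry); account id, ARNs and IPs are placeholders.
ACCT = "111111111111"
CI_USER = f"arn:aws:iam::{ACCT}:user/ci-deploy"
HELPDESK = f"arn:aws:sts::{ACCT}:assumed-role/HelpdeskAdmin/j.doe"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-02T08:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "10.0.1.8", "userIdentity": {"arn": CI_USER}, "requestParameters": {}},
    {"eventTime": "2024-03-02T11:02:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"arn": HELPDESK}, "requestParameters": {"secretId": "prod/db/master"}},
    {"eventTime": "2024-03-02T11:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.77", "userIdentity": {"arn": HELPDESK},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-03-02T11:40:00Z", "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "sourceIPAddress": "203.0.113.77", "userIdentity": {"arn": HELPDESK},
     "requestParameters": {"bucketName": "corp-archive-sync-7f3a"}},
    {"eventTime": "2024-03-02T12:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "10.0.1.8", "userIdentity": {"arn": CI_USER},
     "requestParameters": {"bucketName": "build-artifacts"}},
]})


def load_records(trail_json):
    return json.loads(trail_json)["Records"]


def classify(record):
    """Return the tactic bucket for a record, or None if no rule applies."""
    return RULES.get((record["eventSource"], record["eventName"]))


def tagged_events(records):
    """Rule-matching records, flattened and sorted by time."""
    out = []
    for r in records:
        bucket = classify(r)
        if bucket is None:
            continue
        out.append({
            "ts": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "principal": r["userIdentity"].get("arn", "<unknown>"),
            "ip": r.get("sourceIPAddress", ""),
            "event": r["eventName"],
            "bucket": bucket,
            "params": r.get("requestParameters") or {},
        })
    return sorted(out, key=lambda e: e["ts"])


def correlate(records, window_hours=2.0):
    """One chain per principal that reads or creates credentials and then stages
    resources within `window_hours`; resource creation alone is not reported."""
    window = timedelta(hours=window_hours)
    by_principal = defaultdict(list)
    for e in tagged_events(records):
        by_principal[e["principal"]].append(e)
    chains = []
    for principal, evs in by_principal.items():
        cred = [e for e in evs if e["bucket"] == "credential_access"]
        staged = [e for e in evs if e["bucket"] == "resource_staging"]
        if not cred or not staged:
            continue
        first_cred = cred[0]["ts"]
        hits = [e for e in staged if timedelta(0) <= e["ts"] - first_cred <= window]
        if hits:
            chains.append({"principal": principal,
                           "ips": sorted({e["ip"] for e in evs}),
                           "events": [e["event"] for e in cred + hits]})
    return chains


if __name__ == "__main__":
    for c in correlate(load_records(SAMPLE_TRAIL)):
        print(c["principal"], "->", " ".join(c["events"]), "from", ", ".join(c["ips"]))
```

The assumed-role principal that reads a production secret, mints a new access key and then creates a bucket within forty minutes is reported as one chain; the CI user that only launches instances is not, which is the distinction that keeps a rule like this usable in an environment where resource creation is constant.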

Comparative Analysis

While both threat actors share similar overall objectives, such as disrupting operations and exfiltrating data for extortion, their TTPs diverge significantly. BlackBasta operates as a RaaS, which means its tactics are designed to be easily adopted and executed by a broad affiliate network. This leads to a hybrid approach that leverages both traditional on-premises techniques, like exploiting ESXi hypervisors, and modern cloud tactics. Their methods are built for scalability and broad applicability across varied, often mixed, enterprise environments.

In contrast, Scattered Spider is not a RaaS operation; it has been a more focused group that has specialized in cloud-native tactics, such as abusing AWS IAM APIs and manipulating Azure virtual machines. This specialization indicates a deliberate investment in mastering the intricacies of cloud ecosystems, aligning with the trend of digital transformation where cloud environments increasingly dominate.

Furthermore, these different tactics are likely influenced by sector-specific trends. Organizations in certain verticals such as technology or financial services are more cloud-heavy, making them attractive targets for actors shifting towards cloud-centric methods. Meanwhile, sectors with substantial legacy investments may continue to be vulnerable to hybrid tactics. Ultimately, defenders must adopt layered security strategies that address the full spectrum of TTPs to effectively counter these evolving threats.

| | BlackBasta | Scattered Spider |
|---|---|---|
| Primary Focus | Hybrid environments | Cloud environments |
| Initial Access | Exploits hybrid access vectors (RDP, Citrix, VMware Horizon), Azure/M365 credentials, traditional phishing | Targets cloud identities via social engineering and identity providers (Okta, Entra ID) |
| Execution | Scripts payloads via cloud consoles in Azure/VMs, but relies on PowerShell for hybrid environments | Primarily leverages cloud-native services and APIs (AWS, Azure) to blend into existing cloud infrastructure |
| Privilege Escalation | Exploits known vulnerabilities and IAM misconfigurations across hybrid setups | Manipulates IAM permissions directly within cloud identity providers |
| Lateral Movement | Hybrid lateral movement: pivots between cloud and on-prem using compromised credentials | Cloud-native lateral movement: identity pivoting within SaaS/cloud environments, heavily leveraging federation and API keys |
| Defense Evasion | Avoids GCP due to detection risks; disables ESXi autostart or hides VMs | Cloud-native evasion techniques (modification of logging/audit pipelines, leveraging legitimate cloud admin tools) |
| Exfiltration | Hybrid approach: combines cloud-based exfiltration (cloud storage buckets) with traditional ransomware tactics (Rclone, SSH tunnels) | Pure cloud-focused exfiltration: creates dedicated cloud resources (storage buckets, compute instances) directly within the victim CSP to facilitate theft |
| Impact | Ransomware with encryption | Ransomware without encryption (data extortion and data deletion) |

Resources for Response

As ransomware actors adapt to increasingly diverse infrastructures, incident response strategies must evolve to address the complexities of hybrid, cloud, and multi-cloud environments. To stay resilient, organizations should consider the following:

  • IR Plan: Develop a customized incident response plan that outlines procedures for traditional on-premises attacks and modern, cloud-based intrusions (inclusive of hybrid and multi-cloud).
  • Cloud IR Readiness Assessment: Ensure logging and monitoring controls are properly configured across all environments, particularly in cloud platforms like AWS and Azure to enable timely detection of suspicious activity.
  • Cloud IR Training: Equip IR teams with hands-on experience and platform-specific training in AWS and Azure environments. Familiarity with native logging, access controls, and cloud service configurations is critical for effectively investigating and containing cloud-native attacks.

This approach not only strengthens defenses against modern ransomware operations but ensures response capabilities are aligned with the real-world complexity of enterprise infrastructure.

BlackBasta TTPs Mapping

For a deeper dive into the activity described above, we’ve compiled a comprehensive list of BlackBasta TTPs in our GitHub repository. The resource includes full MITRE ATT&CK mappings and contextual details to help you align these techniques with your own cloud log data and detection efforts.

About Invictus Incident Response

We are an incident response company, we ❤️ the cloud, and we specialize in supporting organizations in preparing for and responding to cyber attacks. We help our clients stay undefeated!

🆘 Incident Response support reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7